The Python folks have discovered a flaw in SimpleXMLRPCServer that can
affect any XML-RPC servers. This affects any programs have been written
that allow remote untrusted users to do unrestricted traversal and can
allow them to access or change function internals using the im_* and
------- Bug moved to this database by firstname.lastname@example.org 2005-03-30 18:31 -------
This bug previously known as bug 2421 at https://bugzilla.fedora.us/
Originally filed under the Fedora Legacy product and Package request component.
Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
Corresponding fixed Python packages were annouced in
http://rhn.redhat.com/errata/RHSA-2005-109.html which has classification
There is a package for RH7.3 at
These sources include a fix for CAN-2005-0089, and also for other SSL security
issues (lifted from updates to RHEL) and a fix for pcre issues (CAN-2005-2491,
Neither python-1.5.2-... packages, nor python-xmlrpc-1.5.1-7.x.3, for RH7.3
seem to be affected by CAN-2005-0089. It does not look that the code in
question, or something similar, is there.
For other distributions it seems that a fix for CAN-2005-0089 will be
either the same or very similar as applied here. In any case a code from
corresponding RHEL update sources will apply.
(Michal and Jim - hope you don't mind my adding you to the cc: for this bug.)
Since Michal has proposed the python2-2.2.2-188.8.131.52.legacy.src.rpm packages as
a fix not only for the this bug report's issue, but also for the CAN-2005-2491
pcre issue (handled in Bug #169235), I suggest we re-title 169235 to be
"CAN-2005-0089 CAN-2005-2491 python multiple security issues" and continue all
work on CAN-2005-0089 there. We can make this bug report's success depend on
That way we can track all of python's pending security issues in one bug report
rather than two. Would you mind changing the title of 169235, Jim?
David, Thank you for adding me to this bug. For the record I would rather be
added than deleted. ;-)
I have renamed 169235 as you proposed.
I'm closing this bug if we continue tracking on #169235.
*** This bug has been marked as a duplicate of 169235 ***